From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from us-smtp-delivery-1.mimecast.com (us-smtp-2.mimecast.com [205.139.110.61]) by sourceware.org (Postfix) with ESMTP id C3AB63858D38 for ; Thu, 23 Jul 2020 21:11:15 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org C3AB63858D38 Received: from mail-qv1-f71.google.com (mail-qv1-f71.google.com [209.85.219.71]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-432-VVfO_LbfNVCV9zfIlFdrzA-1; Thu, 23 Jul 2020 17:11:13 -0400 X-MC-Unique: VVfO_LbfNVCV9zfIlFdrzA-1 Received: by mail-qv1-f71.google.com with SMTP id u10so4412056qvj.23 for ; Thu, 23 Jul 2020 14:11:13 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:organization :message-id:date:user-agent:mime-version:in-reply-to :content-language:content-transfer-encoding; bh=D+SO72ryJhmlD5guesjZKH0dGGTOWb4XUfecpNARysA=; b=iIKq3rpNFR+Z2wqzrMRQDXX0p2xOsKO8U+4xT/gvUBeUSF3vH8HWM2UTaoucDpjlfs b2NZC32StTyyLou5PLXNL+x2GIafnMHikcav5y3bbzqmYFuUeMovThsDJbNv3NZk7HAk gqudcaWWoJ+QJpNBaDDTeXF2hioB5+O/slXZUM1fPAaIgvwwmgzy5ZMnvp+uAQ31hI8L i9LDoDIIJ2cMeqT3P1Gwtck8c5IiX7W6ltAYc35oNvPevEv2m8JuZuuN6Y9AQRB7GbJu rmfRxAZ+2C21tMH/qIHOVBui+BFKR9Ci/M/XiyPClBpQOjuwYjSpmjx5/LM2hGWOYuVE 9UEg== X-Gm-Message-State: AOAM533DVgTG9mp37FY5a1vBwk0So4g4zbEZFZr+ZO+9hhYxQNDYE7JZ u6ctzZqhiDbsE2vO/khDXpo/dTiZubprH6aSYQzm26zOZ6xQ2Ay20yxwOWDgVQMdc3RvBmTo8mg vG/z3ANgrXdpdaFDag3Pg X-Received: by 2002:a37:68c1:: with SMTP id d184mr7313037qkc.62.1595538672487; Thu, 23 Jul 2020 14:11:12 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwcmtOrRy3G4rG3uH/f3G2sXwzbySfiQhiTScP3CycHLj7OUzVxwgyw37fhvy/RJy7BZSttPg== X-Received: by 2002:a37:68c1:: with SMTP id d184mr7313016qkc.62.1595538672223; Thu, 23 Jul 2020 14:11:12 -0700 (PDT) Received: from [192.168.1.4] (198-84-170-103.cpe.teksavvy.com. [198.84.170.103]) by smtp.gmail.com with ESMTPSA id j24sm3614985qkl.79.2020.07.23.14.11.11 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 23 Jul 2020 14:11:11 -0700 (PDT) Subject: Re: [PATCH] nptl: Zero-extend arguments to SETXID syscalls [BZ #26248] To: "H.J. Lu" Cc: Florian Weimer , "H.J. Lu via Libc-alpha" References: <20200716112651.2257283-1-hjl.tools@gmail.com> <87o8ofy8e7.fsf@oldenburg2.str.redhat.com> <56cafa21-37ea-b39e-8c84-afb258f0d17a@redhat.com> <87sgdqp434.fsf@oldenburg2.str.redhat.com> <180ab9db-d012-52c9-736f-437eecafc35b@redhat.com> <91e0af7e-5f5c-a994-d7bf-dd94c45dcd71@redhat.com> From: Carlos O'Donell Organization: Red Hat Message-ID: <6276e59d-a363-32a8-10b1-5e19dc065d6d@redhat.com> Date: Thu, 23 Jul 2020 17:11:10 -0400 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.7.0 MIME-Version: 1.0 In-Reply-To: Content-Language: en-US X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-6.6 required=5.0 tests=BAYES_00, DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2, SPF_HELO_NONE, SPF_PASS, TXREP autolearn=ham autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 23 Jul 2020 21:11:17 -0000 On 7/23/20 4:03 PM, H.J. Lu wrote: > On Fri, Jul 17, 2020 at 2:22 PM Carlos O'Donell wrote: >> >> On 7/17/20 3:31 PM, H.J. Lu wrote: >>> On Fri, Jul 17, 2020 at 8:52 AM Carlos O'Donell wrote: >>>> >>>> On 7/17/20 11:13 AM, Florian Weimer wrote: >>>>> * Carlos O'Donell: >>>>> >>>>>> This test should run in a container, and it should attempt two setgroups >>>>>> calls, one with groups and one empty with a bad address. >>>>> >>>>> Why do you think this needs a container? >>>> >>>> We are trying to successfully call setgroups(), and to do that we need >>>> CAP_SETGID. The way this test is exercising this is by making the test >>>> an xtests which can require root and thus you get CAP_SETGID in that way. >>>> >>>> My suggestion is to move the test from xtests to tests-container to increase >>>> the usage of the test. In the container we have a CLONE_NEWUSER so we have >>>> a distinct usersnamespace that can be used in conjunction with becoming >>>> root, getting CAP_SETGID, and calling setgroups() without restricting this >>>> test to `make xcheck`. >>> >>> I see su in tst-localedef-path-norm.script. But when I removed "su" from >>> tst-localedef-path-norm.script, tst-localedef-path-norm still passed. There are >> >> The use "su" changes uid_map and gid_map to map our users to user 0 in the >> container, but doesn't explicitly deny us from writing to the files in the >> filesytem. The use of "su" in this test was belt-and-suspenders in case >> some code internally checked the uid/gid values. >> >>> [hjl@gnu-cfl-2 build-x86_64-linux]$ ls -l testroot.root >>> total 44 >>> drwxr-xr-x 2 hjl hjl 4096 Jul 17 09:16 bin >>> drwxr-xr-x 2 hjl hjl 4096 Jul 17 12:23 dev >>> drwxr-xr-x 2 hjl hjl 4096 Jul 17 09:34 etc >>> drwxr-xr-x 4 hjl hjl 4096 Jul 17 12:23 export >>> -rw-r--r-- 1 hjl hjl 0 Jul 17 09:16 install.stamp >>> drwxr-xr-x 2 hjl hjl 4096 Jul 17 09:16 libx32 >>> -rw-r--r-- 1 hjl hjl 0 Jul 17 12:26 lock.fd >>> drwxr-xr-x 5 hjl hjl 4096 Jul 17 12:23 output >>> drwxr-xr-x 2 hjl hjl 4096 Jul 17 12:23 proc >>> drwxr-xr-x 2 hjl hjl 4096 Jul 17 09:16 sbin >>> drwxr-xr-x 2 hjl hjl 4096 Jul 17 12:23 tmp >>> drwxr-xr-x 9 hjl hjl 4096 Jul 17 09:16 usr >>> drwxr-xr-x 3 hjl hjl 4096 Jul 17 09:34 var >>> [hjl@gnu-cfl-2 build-x86_64-linux]$ >>> >>> I don't think su is needed since testroot.root is owned by me. >> >> Correct. >> >>>> I see that we don't explicitly say `make xcheck` may require root. >>>> Is this something I just taught myself implicitly? :-) >>>> >>>> Note: We may need to adjust the gid_map writing code in test-container. >>>> >>> >>> Can you help me to make tst-setgroups pass when not running as root? >> >> Sure, let me have a look at running it as a test in the container. >> > > Any update on this? Not yet, I have 3 things on my plate: * AArch64 PAC+BTI enablement review. * nptl: Zero-extend arguments to SETXID syscalls. * FAIL: elf/tst-ldconfig-ld_so_conf-update Once I get the first done I'm going to work on this. If you can reproduce the last one on Fedora 32 that would be great. I don't know what the problem is. -- Cheers, Carlos.